CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A vulnerability was detected in hs-web hsweb-framework up to 5.0.1. This affects the function OAuth2Client of the file hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java of the component OAuth2 Client. The manipulation results in open redirect. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as c2882679a9125cea52678151af5ae213cbd52579. Applying a patch is advised to resolve this issue.
Analysis (AI)
Open redirect in hs-web hsweb-framework's OAuth2Client component (versions up to 5.0.1) allows remote unauthenticated attackers to redirect victims to attacker-controlled URLs by supplying a crafted redirect_uri during OAuth2 authorization flows. The root cause is a naive prefix-based string comparison using startsWith() in OAuth2Client.java, which trivially allows bypass via domain-prefix spoofing (e.g., registering https://app.example.com.attacker.com when the legitimate URI is https://app.example.com). …
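The analysis above attributes the flaw to a raw startsWith() prefix comparison of the requested redirect_uri against the registered one. The following Python is an added example, not code from hsweb-framework, that places that weak check beside a component-wise validator (scheme, host, port and path compared after parsing) so the domain-prefix spoof from the analysis can be seen passing one and failing the other. All URLs are constructed samples; the function names and the allow_subpaths option are the example's own.

```python
"""Added example (not hsweb-framework code): a startsWith()-style redirect_uri
check next to a parsed, component-wise validator. All URLs are constructed."""
from urllib.parse import urlsplit


def weak_prefix_check(registered: str, requested: str) -> bool:
    """Raw string prefix test, the pattern the advisory attributes to OAuth2Client.java.
    Any hostname that merely begins with the registered one satisfies it."""
    return requested.startswith(registered)


def strict_redirect_check(registered: str, requested: str, allow_subpaths: bool = False) -> bool:
    """Compare a requested redirect_uri to the registered one component by component.

    Scheme, hostname (case-insensitive) and explicit port must match; userinfo and
    fragments are rejected; the path must be identical or, only when allow_subpaths
    is set, extend the registered path at a '/' boundary. Exact matching is the
    conservative default for OAuth 2.0 redirect URIs.
    """
    try:
        reg, req = urlsplit(registered), urlsplit(requested)
        reg_port, req_port = reg.port, req.port  # .port raises ValueError on a malformed port
    except ValueError:
        return False
    if req.scheme not in ("https", "http") or req.scheme != reg.scheme:
        return False
    if req.username is not None or req.password is not None or req.fragment:
        return False
    if not req.hostname or req.hostname != reg.hostname or req_port != reg_port:
        return False
    reg_path, req_path = reg.path or "/", req.path or "/"
    if req_path == reg_path:
        return True
    return allow_subpaths and req_path.startswith(reg_path.rstrip("/") + "/")


def compare_checks(registered: str, candidates: list[str]) -> dict[str, tuple[bool, bool, bool]]:
    """Map each candidate to (weak prefix, strict exact, strict with subpaths) for review."""
    return {
        c: (
            weak_prefix_check(registered, c),
            strict_redirect_check(registered, c),
            strict_redirect_check(registered, c, allow_subpaths=True),
        )
        for c in candidates
    }


if __name__ == "__main__":
    registered = "https://app.example.com"  # constructed registered redirectUrl
    candidates = [  # constructed requested redirect_uri values
        "https://app.example.com",
        "https://app.example.com/callback",
        "https://app.example.com.attacker.com",  # the domain-prefix spoof named in the analysis
        "https://app.example.com.attacker.com/callback",
    ]
    print(f"{'requested redirect_uri':50} startsWith  exact  subpaths")
    for uri, (weak, exact, sub) in compare_checks(registered, candidates).items():
        print(f"{uri:50} {weak!s:11} {exact!s:6} {sub}")
```

Run stand-alone, the table shows the prefix check accepting every candidate, including both attacker-host variants, while the parsed comparison accepts only the registered origin (and its subpaths when explicitly allowed). A real fix in the project should also normalise default ports and decide whether query strings are permitted; the example keeps those decisions visible rather than hiding them behind string operations.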
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires that hsweb-framework is deployed with the OAuth2 authorization server module (hsweb-authorization-oauth2) active and that at least one OAuth2 client is registered with a non-empty redirectUrl value. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 4.0 scores this at 2.1, consistent with the limited real-world impact profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies an hsweb-framework deployment with OAuth2 authorization enabled and determines a registered client's legitimate redirect URI (e.g., https://app.example.com/callback) through OAuth2 client registration enumeration or documentation. The attacker crafts a phishing authorization URL substituting redirect_uri with https://app.example.com.attacker.com/callback, which passes the flawed startsWith() check. … |
| Remediation | Apply the upstream fix identified as commit c2882679a9125cea52678151af5ae213cbd52579, available via GitHub PR #355 at https://github.com/hs-web/hsweb-framework/pull/355. … Detailed patch versions, workarounds, and compensating controls in full report. |
EUVD-2026-35008
GHSA-fxr3-gvm4-m8vc